[WebProfilerBundle] Disable CSP if dumper was used

herndlm · fabpot · commit 5dc263726306 · 2021-03-12T07:08:12.000+01:00
diff --git a/src/Symfony/Bundle/WebProfilerBundle/EventListener/WebDebugToolbarListener.php b/src/Symfony/Bundle/WebProfilerBundle/EventListener/WebDebugToolbarListener.php
@@ -16,6 +16,7 @@
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\HttpFoundation\Session\Flash\AutoExpireFlashBag;
+use Symfony\Component\HttpKernel\DataCollector\DumpDataCollector;
 use Symfony\Component\HttpKernel\Event\ResponseEvent;
 use Symfony\Component\HttpKernel\KernelEvents;
 use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
@@ -44,15 +45,17 @@ class WebDebugToolbarListener implements EventSubscriberInterface
     protected $mode;
     protected $excludedAjaxPaths;
     private $cspHandler;
+    private $dumpDataCollector;
 
-    public function __construct(Environment $twig, bool $interceptRedirects = false, int $mode = self::ENABLED, UrlGeneratorInterface $urlGenerator = null, string $excludedAjaxPaths = '^/bundles|^/_wdt', ContentSecurityPolicyHandler $cspHandler = null)
+    public function __construct(Environment $twig, bool $interceptRedirects = false, int $mode = self::ENABLED, UrlGeneratorInterface $urlGenerator = null, string $excludedAjaxPaths = '^/bundles|^/_wdt', ContentSecurityPolicyHandler $cspHandler = null, DumpDataCollector $dumpDataCollector = null)
     {
         $this->twig = $twig;
         $this->urlGenerator = $urlGenerator;
         $this->interceptRedirects = $interceptRedirects;
         $this->mode = $mode;
         $this->excludedAjaxPaths = $excludedAjaxPaths;
         $this->cspHandler = $cspHandler;
+        $this->dumpDataCollector = $dumpDataCollector;
     }
 
     public function isEnabled(): bool
@@ -89,7 +92,14 @@ public function onKernelResponse(ResponseEvent $event)
             return;
         }
 
-        $nonces = $this->cspHandler ? $this->cspHandler->updateResponseHeaders($request, $response) : [];
+        $nonces = [];
+        if ($this->cspHandler) {
+            if ($this->dumpDataCollector && $this->dumpDataCollector->getDumpsCount() > 0) {
+                $this->cspHandler->disableCsp();
+            }
+
+            $nonces = $this->cspHandler->updateResponseHeaders($request, $response);
+        }
 
         // do not capture redirects or modify XML HTTP Requests
         if ($request->isXmlHttpRequest()) {
diff --git a/src/Symfony/Bundle/WebProfilerBundle/Resources/config/toolbar.php b/src/Symfony/Bundle/WebProfilerBundle/Resources/config/toolbar.php
@@ -24,6 +24,7 @@
                 service('router')->ignoreOnInvalid(),
                 abstract_arg('paths that should be excluded from the AJAX requests shown in the toolbar'),
                 service('web_profiler.csp.handler'),
+                service('data_collector.dump')->ignoreOnInvalid(),
             ])
             ->tag('kernel.event_subscriber')
     ;
diff --git a/src/Symfony/Bundle/WebProfilerBundle/Tests/DependencyInjection/WebProfilerExtensionTest.php b/src/Symfony/Bundle/WebProfilerBundle/Tests/DependencyInjection/WebProfilerExtensionTest.php
@@ -20,6 +20,7 @@
 use Symfony\Component\ErrorHandler\ErrorRenderer\HtmlErrorRenderer;
 use Symfony\Component\EventDispatcher\DependencyInjection\RegisterListenersPass;
 use Symfony\Component\EventDispatcher\EventDispatcher;
+use Symfony\Component\HttpKernel\DataCollector\DumpDataCollector;
 use Symfony\Component\HttpKernel\KernelInterface;
 
 class WebProfilerExtensionTest extends TestCase
@@ -55,6 +56,7 @@ protected function setUp(): void
         $this->kernel = $this->createMock(KernelInterface::class);
 
         $this->container = new ContainerBuilder();
+        $this->container->register('data_collector.dump', DumpDataCollector::class)->setPublic(true);
         $this->container->register('error_handler.error_renderer.html', HtmlErrorRenderer::class)->setPublic(true);
         $this->container->register('event_dispatcher', EventDispatcher::class)->setPublic(true);
         $this->container->register('router', $this->getMockClass('Symfony\\Component\\Routing\\RouterInterface'))->setPublic(true);
diff --git a/src/Symfony/Bundle/WebProfilerBundle/Tests/EventListener/WebDebugToolbarListenerTest.php b/src/Symfony/Bundle/WebProfilerBundle/Tests/EventListener/WebDebugToolbarListenerTest.php
@@ -12,11 +12,13 @@
 namespace Symfony\Bundle\WebProfilerBundle\Tests\EventListener;
 
 use PHPUnit\Framework\TestCase;
+use Symfony\Bundle\WebProfilerBundle\Csp\ContentSecurityPolicyHandler;
 use Symfony\Bundle\WebProfilerBundle\EventListener\WebDebugToolbarListener;
 use Symfony\Component\HttpFoundation\HeaderBag;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\HttpFoundation\Session\Session;
+use Symfony\Component\HttpKernel\DataCollector\DumpDataCollector;
 use Symfony\Component\HttpKernel\Event\ResponseEvent;
 use Symfony\Component\HttpKernel\HttpKernelInterface;
 use Symfony\Component\HttpKernel\Kernel;
@@ -300,6 +302,48 @@ public function testThrowingErrorCleanup()
         $this->assertEquals('Exception: This multiline tabbed text should come out on a single plain line', $response->headers->get('X-Debug-Error'));
     }
 
+    public function testCspIsDisabledIfDumperWasUsed()
+    {
+        $response = new Response('<html><head></head><body></body></html>');
+        $response->headers->set('X-Debug-Token', 'xxxxxxxx');
+
+        $event = new ResponseEvent($this->createMock(Kernel::class), $this->getRequestMock(), HttpKernelInterface::MASTER_REQUEST, $response);
+
+        $cspHandler = $this->createMock(ContentSecurityPolicyHandler::class);
+        $cspHandler->expects($this->once())
+            ->method('disableCsp');
+        $dumpDataCollector = $this->createMock(DumpDataCollector::class);
+        $dumpDataCollector->expects($this->once())
+            ->method('getDumpsCount')
+            ->willReturn(1);
+
+        $listener = new WebDebugToolbarListener($this->getTwigMock(), false, WebDebugToolbarListener::ENABLED, null, '', $cspHandler, $dumpDataCollector);
+        $listener->onKernelResponse($event);
+
+        $this->assertEquals("<html><head></head><body>\nWDT\n</body></html>", $response->getContent());
+    }
+
+    public function testCspIsKeptEnabledIfDumperWasNotUsed()
+    {
+        $response = new Response('<html><head></head><body></body></html>');
+        $response->headers->set('X-Debug-Token', 'xxxxxxxx');
+
+        $event = new ResponseEvent($this->createMock(Kernel::class), $this->getRequestMock(), HttpKernelInterface::MASTER_REQUEST, $response);
+
+        $cspHandler = $this->createMock(ContentSecurityPolicyHandler::class);
+        $cspHandler->expects($this->never())
+            ->method('disableCsp');
+        $dumpDataCollector = $this->createMock(DumpDataCollector::class);
+        $dumpDataCollector->expects($this->once())
+            ->method('getDumpsCount')
+            ->willReturn(0);
+
+        $listener = new WebDebugToolbarListener($this->getTwigMock(), false, WebDebugToolbarListener::ENABLED, null, '', $cspHandler, $dumpDataCollector);
+        $listener->onKernelResponse($event);
+
+        $this->assertEquals("<html><head></head><body>\nWDT\n</body></html>", $response->getContent());
+    }
+
     protected function getRequestMock($isXmlHttpRequest = false, $requestFormat = 'html', $hasSession = true)
     {
         $request = $this->getMockBuilder(Request::class)->setMethods(['getSession', 'isXmlHttpRequest', 'getRequestFormat'])->disableOriginalConstructor()->getMock();
diff --git a/src/Symfony/Bundle/WebProfilerBundle/Tests/Functional/WebProfilerBundleKernel.php b/src/Symfony/Bundle/WebProfilerBundle/Tests/Functional/WebProfilerBundleKernel.php
@@ -10,6 +10,7 @@
 use Symfony\Component\Config\Loader\LoaderInterface;
 use Symfony\Component\DependencyInjection\ContainerBuilder;
 use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\HttpKernel\DataCollector\DumpDataCollector;
 use Symfony\Component\HttpKernel\Kernel;
 use Symfony\Component\Routing\Loader\Configurator\RoutingConfigurator;
 
@@ -65,6 +66,7 @@ public function getLogDir()
 
     protected function build(ContainerBuilder $container)
     {
+        $container->register('data_collector.dump', DumpDataCollector::class);
         $container->register('logger', NullLogger::class);
     }
 

Original file line number	Diff line number	Diff line change
`@@ -24,6 +24,7 @@`
`24`	`24`	`service('router')->ignoreOnInvalid(),`
`25`	`25`	`abstract_arg('paths that should be excluded from the AJAX requests shown in the toolbar'),`
`26`	`26`	`service('web_profiler.csp.handler'),`
	`27`	`+ service('data_collector.dump')->ignoreOnInvalid(),`
`27`	`28`	`])`
`28`	`29`	`->tag('kernel.event_subscriber')`
`29`	`30`	`;`
Original file line number	Diff line number	Diff line change
`@@ -10,6 +10,7 @@`
`10`	`10`	`use Symfony\Component\Config\Loader\LoaderInterface;`
`11`	`11`	`use Symfony\Component\DependencyInjection\ContainerBuilder;`
`12`	`12`	`use Symfony\Component\HttpFoundation\Response;`
	`13`	`+use Symfony\Component\HttpKernel\DataCollector\DumpDataCollector;`
`13`	`14`	`use Symfony\Component\HttpKernel\Kernel;`
`14`	`15`	`use Symfony\Component\Routing\Loader\Configurator\RoutingConfigurator;`
`15`	`16`
`@@ -65,6 +66,7 @@ public function getLogDir()`
`65`	`66`
`66`	`67`	`protected function build(ContainerBuilder $container)`
`67`	`68`	`{`
	`69`	`+ $container->register('data_collector.dump', DumpDataCollector::class);`
`68`	`70`	`$container->register('logger', NullLogger::class);`
`69`	`71`	`}`
`70`	`72`